PsychoBreak

Target IP: 10.10.175.30

Help Sebastian and his team of investigators to withstand the dangers that come ahead.


Scanning

There are three TCP ports open on the target machine: FTP, SSH, and HTTP.
The Ubuntu target machine is running the following:


Enumeration

Port 80: HTTP
The webpage above is displayed for this web application.

The source code of this webpage contains the hidden directory /sadistRoom at line fourteen. There is also a username called Sebastian.

Browsing to /sadistRoom displays the webpage above. Clicking the here button outputs the key 532219a04ab7a02b56faafbec1a4c1ea to another page. Using that key, I gained access to another webpage when it prompted me to enter it.

The Locker Room webpage above is displayed once I entered the key. The goal is to decode the ciphertext Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv.

Using an online Atbash Cipher Tool website, I obtained the plaintext Grant_me_access_to_the_map_please after decoding the ciphertext Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv.

After entering the key, the webpage above is shown. The Safe Heaven page contains a hint when the source code is viewed.

Performing a scan against this /SafeHeaven directory shows another hidden directory called /keeper.

Browsing to /keeper shows the webpage above. Pressing the Escape Keeper displays another page.

Doing a Google search for this image shows it is St. Augustine Lighthouse. After inputting this text, I obtain the key 48ee41458eb0b43bf82b986cecf3af01.

Inputting this key at The Abandoned Room using map.php displays the webpage above. Pressing the Go Further button displays the webpage below.

A timer starts, and the source code of the webpage contains the hint "shell". It looks like certain commands are blocked.

Using ls .. shows the two interesting directories highlighted above.

I replaced the directory with one of the directories found using ls and obtained the webpage above. The file helpme.zip contains two files: helpme.txt and Table.jpg.

The helpme.txt file contains a message stating that the file Table.jpg contains hidden data. Using binwalk, I extracted the hidden data Joseph_0da.jpg and key.wav inside the image.

The wav file contains Morse code data. Using an online Morse code decoder, I obtained the message showme inside this audio file.

Using this new key, I obtained the hidden data inside the Joseph_0da.jpg file. Now I have the credentials joseph:intotheterror445 for the FTP application.

When I logged into the FTP application, there were two more interesting files: program and random.dic.

I tried the different possible passwords from the random.dic file against the program. It worked when I used kidman. I have to decode 55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 7777 7777 666 7777 8 777 2 66 4 33.

After Googling the numbers, I decoded them using Multi-Tap Phone (SMS) and obtained the string KIDMANSPASSWORDISSOSTRANGE. This password looks like an SSH password.
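
Both decoding steps in this section (the Atbash ciphertext from the Locker Room and the multi-tap digit groups from the program) can be done offline instead of with online tools. The script below is an added example, not part of the original write-up; the function and constant names are chosen here, and the two inputs are the strings quoted above.

```python
import string

# Inputs copied from the write-up above.
ATBASH_CT = "Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv"
MULTITAP_SEQ = ("55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 "
                "7777 7777 666 7777 8 777 2 66 4 33")

# Letters on a phone keypad; pressing a key n times selects the n-th letter.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}


def atbash(text):
    """Mirror each letter within its alphabet (A<->Z, b<->y).

    Atbash is its own inverse, so the same call encodes and decodes.
    Digits, underscores and other characters pass through unchanged.
    """
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lower + upper, lower[::-1] + upper[::-1])
    return text.translate(table)


def multitap(groups):
    """Decode space-separated groups of one repeated digit ('55 444' -> 'KI')."""
    out = []
    for group in groups.split():
        digit = group[0]
        # Every character in a group must be the same keypad digit.
        if digit not in KEYPAD or set(group) != {digit}:
            raise ValueError("not a multi-tap group: %r" % group)
        letters = KEYPAD[digit]
        if len(group) > len(letters):
            raise ValueError("too many presses in %r" % group)
        out.append(letters[len(group) - 1])
    return "".join(out)


if __name__ == "__main__":
    print(atbash(ATBASH_CT))
    print(multitap(MULTITAP_SEQ))
```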


Exploitation

Using the credentials kidman:KIDMANSPASSWORDISSOSTRANGE I gained a foothold on the target machine using SSH.


Privilege Escalation

There are two interesting files in this user's directory, as shown above.

Running find / -writable -type f 2>/dev/null shows the interesting file entries above that this user has access to.

There is an interesting cronjob called the_eye_of_ruvik.py. I also have write privileges over this file as the current user, so I can put my reverse shell script inside it.

I started a listener on port 8443. I put my Python reverse shell script inside the the_eye_of_ruvik.py file. Then, after some time, I gained a root reverse shell connection on port 8443. Game over. But there is still one task left after obtaining the root.txt: defeat ruvik.

And that's a wrap. GG.
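
The weakness used in this section is a script run by a root cron job that a non-root user can write to. The check below is an added example from the defender's side, not part of the original write-up: it reads system-crontab lines and reports files executed by root jobs that are group/world writable or owned by an untrusted user. The crontab text, the file names weak_job.py and safe_job.py and the function names are constructed for the demonstration.

```python
import os
import shlex
import stat
import tempfile


def cron_commands(crontab_text):
    """Yield (user, command) from system-crontab lines: 5 time fields, user, command."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip blanks, comments and VAR=value assignments
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def risky_targets(crontab_text, trusted_uids=(0,)):
    """Return (path, reason) for files in root jobs that others could modify."""
    findings = []
    for user, command in cron_commands(crontab_text):
        if user != "root":
            continue
        for token in shlex.split(command):
            if not os.path.isabs(token) or not os.path.isfile(token):
                continue  # only absolute paths to existing files are checked
            st = os.stat(token)
            if st.st_uid not in trusted_uids:
                findings.append((token, "owned by uid %d" % st.st_uid))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((token, "group/world writable"))
    return findings


def demo():
    """Constructed sample: one world-writable script, one locked-down script."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "weak_job.py"), os.path.join(d, "safe_job.py")
    for path, mode in ((weak, 0o666), (safe, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    crontab = ("# constructed sample crontab\nSHELL=/bin/sh\n"
               "*/2 * * * * root python3 %s\n0 * * * * root python3 %s\n" % (weak, safe))
    # The current uid is trusted here only so the demo runs without root.
    return weak, risky_targets(crontab, trusted_uids=(0, os.getuid()))


if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of /etc/crontab to risky_targets with the default trusted_uids; the directories that contain each reported script need the same ownership and mode review.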


Flags

The user.txt flag once I gained a foothold on the target machine.

The root.txt flag after exploiting the weakly configured cronjob script. There is only one task left: defeat ruvik.